Penetration testing: what is it and what is its purpose?

Penetration testing and vulnerability assessment

Often the term vulnerability scanning or assessment and penetration testing are two phrases used in interchangeable ways. However, there are certain differences in their meaning as well as implications. When we talk about vulnerability assessment, we mean spotting certain vulnerabilities that remain in a system, Swascan offers an advanced Vulnerability Assessment tool that identifies and solves all vulnerabilities of websites and web applications. On the other hand, penetration test is an authorized attack (which is simulated) on a system to test its security.

The purpose of penetration testing

Penetration testing can be both automated and manual. Despite its method, penetration testing includes several steps such as:

Reconaissance: collecting pieces of information regarding the target before the test begins;

The identification of the exploitable entry points;

The actual or virtual attempt to break in;

The final report that includes the results of the test that has been run.

Starting from this, we can state that the main goal of a pen test is to clearly identify security weak spots. Other than that, it is possible to list other specific objectives of penetration testing:

Test the compliance of the security policy;

Test the awareness of the staff regarding security matters;

Check if and how an organization can face security disasters.

Different kinds of penetration testing

As far as penetration testing is concerned, there are several ways it can be performed. In the following list, we can go through these methods:

External Testing: this test has a specific objective: identifying whether an attacker can get in and how deep can the attacker go once he’s in. Which are the targets of such tests? Anything visible on the internet:

DNS (Domain Name Servers),

Website,

Web applications,…

Internal testing: an internal test is a simulation of an attack performed by an insider. If an attacker manages to steal an employee’s credentials, he already is behind the firewall and this specific test considers this scenario.

Targeted testing: this specific test is run from the pentester and the IT staff of the company. These two entities work side by side and this is helpful to the IT staff that can better understand the attacker’s perspective.

Blind testing: this could be a quite expensive testing methodology. The tester usually has only the company name available as information, anything else is often not provided. This test shows how an actual attack takes place.

Double Blind testing: this test assumes that the IT staff has no knowledge at all about the upcoming attack. This test fakes a could-be-situation where the IT staff has no time to realize what’s going on.

Swascan tools

In order to assure to your business the best tool available, Swascandeveloped a special ( Premio Cisco-Marzotto winner ) cybersecurity platform. It is completely in Cloud, Pay per Use and SaaS. You can see for yourself in our brochure: Cybersecurity platformand have an in-depth look at our services. Our three services cover all the governance needs in terms of risk management and periodic assessment. Basically, if you need to understand the areas in which your efforts must focus, Vulnerability Assessment, Network Scan and Code Review are the right tools for you. Last but not least, don’t forget GDPR: our platform is 100% GDPR compliant ( GDPR infographic ).